A 2012 LinkedIn hack is still causing problems for its users. Linkedin announced this morning that another data set from the hack, which contains over 100 million LinkedIn members’ emails and passwords, has now been posted online. According to Techcrunch, LinkedIn says it’s working to validate the accounts and contact affected users so they can reset their passwords on the site in response to this new data dump.
Hackers broke into LinkedIn’s network wayback in 2012 and stole some 6.5 million encrypted passwords, and posted them onto a Russian hacker forum. Because the passwords were stored as unsalted SHA-1 hashes, hundreds of thousands were quickly cracked.
Now, according to a new report from Motherboard, a hacker going by the name of “Peace” is trying to sell the emails and passwords of 117 million LinkedIn members on a dark web illegal marketplace for around $2,200, payable in bitcoin. In total, the data set includes 167 million accounts, but of those, only 117 million or so have both emails and encrypted passwords.
As this data set also originates from the 2012 hack, these passwords are encrypted in the same way – with “no salt” – meaning they are more easily cracked. In fact, Motherboard states that 90 percent of the passwords were cracked within 72 hours. Several of the victims were still using their same password from 2012, the report also said.
LinkedIn says that it has increased its security measures in the years since the breach, by introducing stronger encryption, email challenges and two-factor authentication. But this hack was from an earlier era, before these protections were in place. They would also not necessarily protect users from hackers who had obtained email and password combinations.
Read the full text of LinkedIn’s statement is below:
In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members’ passwords. At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure. Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.
We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.